geronimo-dev mailing list archives

From David Blevins <david.blev...@visi.com>
Subject Re: What to do about remote login in geronimo 2.0/openejb 3.0?
Date Fri, 06 Jul 2007 16:59:32 GMT

On Jul 5, 2007, at 5:44 PM, David Jencks wrote:

>
> On Jul 5, 2007, at 12:03 PM, David Blevins wrote:
>
>> How were we doing web services security before?  Did it work for  
>> EJBs too? (maybe that was the issue).
>
> Web services security works and worked fine.  AFAICT it's using  
> BASIC web authentication.  Anyway we tell the web services client a  
> user and password and it gets sent with the message and logged in  
> and everything works.  The user/pw comes out of a private  
> credential in the Subject.  In order for this to get into the  
> Subject we need a login module running locally on the client to put  
> it there.  All this is working fine and has worked fine for a long  
> time.
>
> The problem is that in order to call an ejb we (currently) need  
> remote login modules on the client that are actually running on the  
> server and get the identification principal back to the client  
> subject.  We seem to be able to configure logins that use either  
> only remote modules or only local modules but I haven't been able  
> to figure out how to configure something that uses both a local  
> login module for the web services AND in the same login  
> configuration a remote module for openejb.

Hmm.  I can definitely see similarities and what you're feeling  
around for.  The paradigm is essentially the same on the client-side;  
pull user/pw from userland, then put it in a known code location  
(subject, static) where it will be fished out on request.  The server-side
is also the same being a plain user/pw login.  It could be possible
not just to use the same login configuration but the same login module.

> I also find the code and configuration around remote login modules  
> to be incredibly hard to understand and confusing so I'd rather  
> come up with something that appears to involve a little less magic.

Amen.

>>
>> I really lost you when you stated an issue with web services  
>> security then jumped to solving the problem in the protocol that  
>> doesn't use web services.  I can't figure out how these things  
>> connect.
>
> Just possibly the above will help :-)
>
> Anyway after perusing the jaspi spec some more I don't want to  
> promise to implement it by geronimo 2.0 so I'm now trying option  
> (0) and hope to have a proposed patch friday.  [...] I think this  
> special purpose solution will be a lot simpler and easier to  
> understand than the geronimo code and will work fine while we think  
> about jaspi.

Sounds like a plan.

-David
